Yeah... not updating is usually not good. The updates are usually protecting you from exploits like these. As far as the versions of this affected, I'm pretty sure every version released within the last year is affected. If you've got a version as current as that, you're affected. If you don't update, you'll always be affected. If you don't update, you'll be vulnerable to WAY more exploits than just this one.

Reminds me of the problems Rift had when they first launched. Authentication done in the patcher to the login server, then passing an "authenticated" token to the game server to work with the player's client. For Rift, the hackers figured out they could spoof the login token to the game server at random (basically they just spit out long random numbers that would match an authentication string from a logged in session). In a nutshell, the hackers didn't even need to know the username/password as they were bypassing the process. I'm wondering if the same thing may be going on here. This is one reason why Coinlock in Rift was first implemented, to prevent the Chinese hackers (and yes, the hack originated in China) from stealing coins from random accounts.

That's what I was thinking too. I remember when all that went down, and Trion didn't handle it as well as I thought they could have. People were crying foul about the authentication system for a week or more and they kept patting us on the head and denying that it was a problem until someone dropped in on the forums who had replicated the hack himself and provided direct evidence of it. Only then did they even remotely acknowledge that the problem was with their client, and after some furious coding they pushed out a hotfix not too long after that (kudos to them) and gave the white hat guy a lifetime sub for his trouble. But seriously, they didn't acknowledge anything until they were forced to.

People were crying foul about the authentication system for a week or more and they kept patting us on the head and denying that it was a problem until someone dropped in on the forums who had replicated the hack himself and provided direct evidence of it.

One of the biggest problems with IT security is there's very little acceptance that you need to be trained in this stuff. The result is a lot of people who assume "I can't think how this could be broken" is equivalent to "This cannot be broken".

Cases like this, where it sounds like they both missed the need for a proper random source and how long the tokens needed to be, highlight this.
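As an added illustration of the token-guessing failure the two posts above describe (not code from Rift, Trion or anyone in this thread): a login-token store that issues 256-bit tokens from the OS CSPRNG, indexes them by hash, makes them single-use with an expiry, and a small calculation showing why a short token space is guessable. The class, method names and the TTL are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_BYTES = 32  # 256 bits of entropy; random guessing cannot cover this space


@dataclass
class Session:
    account: str
    expires_at: float


class LoginTokenStore:
    """Hypothetical login-server-side store for tokens the game server later redeems.

    Tokens come from the OS CSPRNG, never from a seedable PRNG such as random.random().
    They are indexed by their SHA-256 digest, so the secret value itself is never stored
    and lookup time does not depend on how many leading bytes of a guess are correct.
    """

    def __init__(self, ttl_seconds: float = 300.0):
        self._ttl = ttl_seconds
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account: str, now: Optional[float] = None) -> str:
        """Issue a single-use token bound to an already authenticated account."""
        now = time.time() if now is None else now
        token = secrets.token_hex(TOKEN_BYTES)  # 64 hex characters
        self._sessions[self._key(token)] = Session(account, now + self._ttl)
        return token

    def redeem(self, presented: str, now: Optional[float] = None) -> Optional[str]:
        """Return the account bound to a valid token and consume it; None on any failure."""
        now = time.time() if now is None else now
        session = self._sessions.pop(self._key(presented), None)
        if session is None or now > session.expires_at:
            return None
        return session.account


def guess_success_probability(token_bits: int, guesses: int, live_tokens: int) -> float:
    """Upper bound on the chance that `guesses` uniformly random guesses hit any one of
    `live_tokens` currently valid tokens drawn from a space of 2**token_bits values."""
    return min(1.0, guesses * live_tokens / 2 ** token_bits)


if __name__ == "__main__":
    store = LoginTokenStore()
    token = store.issue("player@example.com")  # constructed account id
    print("redeem once:", store.redeem(token))   # the account
    print("redeem twice:", store.redeem(token))  # None: single use
    # A million guesses against ten thousand live 32-bit tokens is a certain hit ...
    print(guess_success_probability(32, 1_000_000, 10_000))
    # ... while 10**12 guesses against 10**6 live 256-bit tokens are hopeless.
    print(guess_success_probability(256, 10**12, 10**6))
```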

Isn't the email address and password saved in GW2.dat when you ask it to remember those details? If the client can read it then any executable with the proper logic will be able to as well.

Just contacted support as well to request removal of my credit card on file from them in the gem store. Apparently if you save your credit card info, they don't ask you to reenter any detail, not even the CVV. Sad. I can't even find a way to unlink it myself via the in-game interface.

If somebody has your email address they can request a reset :s Doesn't actually do anything unless they also have your email login info from, say, a separate incident. In which case you should worry about more than just your gw2 account. People incorrectly assume that the only way to get into someone's account is to attack the person or their PC directly, when whole databases of email/account name/password combinations get stolen from major sites with ever-growing frequency.

Tldr, use unique passwords for all accounts you care about and tie them to gmail with 2step auth on.

when whole databases of email/account name/password combinations get stolen from major sites with ever-growing frequency.

This.

People need to start understanding the risks of re-using the same email/password combination for multiple games/sites. All it takes is one stupid site that:

stores login info in plain text (or doesn't, but gets hacked anyway)

gets hacked

and then every person re-using their login information on that site is compromised across every game/service they are a user of, as lists of those compromised email/password combinations get shared amongst the hackers.

This isn't even counting the various sites/scams that are set up specifically to fish for your login info (The hackers set up a game hint site, forum, whatever, that requires registration. In requiring you to register, they are hoping that you will re-use the same login info you use for other games/sites - you are basically giving them your account credentials, and saying, "Here you go. I trust you!").

Biometrics still uses a token system for authentication. Anything can be spoofed. Even if a company goes full-fledged PKI and issues you a smart card/private key -- there are still ways around it.

The best choice is to play smart, understand how best to protect yourself and accept this unfortunate truth. I'd love for what you said to be true/possible in the future - I just don't see it happening.

I shouldn't have to lock my doors and carry a set of keys either. Reality -> Desire.

And to solve your issue, you can use three passwords: One for the game, one for the associated email, and one for community websites. When that gets hacked (as they often do), you'll be somewhat safer.

The big problem I see with fingerprint/retina based passwords is that once one of those is compromised (and have no doubt that it will be - hackers always find a way), the poor person who was compromised will be screwed (you can't really call ArenaNet and ask them to do a fingerprint/retina reset).

Ideally the only way for that to happen would be for someone to chop off your finger (and somehow get you to cough up the password as well, since both would be needed).

Of course, some bug may be discovered that allows a hacker to somehow pretend to be you. If that happened, the OpenID provider would have to fix that bug. My OpenID provider is Google, so in this case it would be their responsibility, not ArenaNet's.

OpenID saves the developer a hell of a lot of effort (no need to hash passwords, no need for extra support staff to handle password resets, deal with hacked accounts, etc.). I really don't understand why it's not in more widespread use, to be honest. We have the technology today, right now, to allow people to log in to any service using a single set of credentials securely and safely. It sickens me that it's not being used.

Fingerprint scanners are very easy to "hack." For the former you simply need to be able to lift a clear fingerprint off something. Most "retina scanners" don't actually scan the retina because it's considered too high a risk of eyesight damage as well as being more prone to bad reads, taking much longer and having a much narrower range of acceptable angles and distances from which to scan to be used for general security purposes. For general purposes they actually use iris scans, which are generally easy to trick by using high-definition pictures of the eye.

The main point I was getting at was OpenID/OAuth, not biometric passwords. An alternative would be two-factor authentication with a password and a SecurID token or something similar. Again, this is technology that exists today, and it's not being used to its full potential.

This reminds me of all the WoW players who wanted the authenticator, and yet most of my friends who had it got hacked, and yet I who just had a smart password never ever had a problem with account security.

Highly unlikely; for a scanner with a physical connection to whatever's being secured, there's hope that you can check that you're scanning a 3D object (not a photo), that it's alive (warm), possibly texture, but those are all expensive to do.

For a remote connection, it's difficult to see how a "replay scanned fingerprint" device couldn't be developed and trivially used.

OK, my point wasn't that biometric authentication is a good idea, it was that OpenID is a good idea. It doesn't really matter what form of authentication you use (as long as it's secure), what matters is that I should be able to log in anywhere using one set of credentials, and I should be able to do it securely.

Right. That's in case you lose access to the old email account, so you can change it without having to deal with support. In the much less likely scenario that someone compromises your game account but not your email account then you still know the email was changed and you can contact support and they can roll it back.

I've had the same, and I'd like to ask, but did you by chance have D3 or Starcraft? I know theirs got stolen recently, but luckily my email pw is different, and I had an authenticator on Diablo so nothing's come of it yet, other than annoying emails.

Same here. There have been two attempts already to reset my password and one phishing attempt after that. My half-uneducated guess would be that they run emails through the reset mechanism and whoever the GW2 website confirms as valid gets the phishing email.

It's the domain itself (guildwars2.com and ncsoft.com in this case) that matters - every subdomain is controlled by the person/body who controls the domain. superhappyfunsite.guildwars2.com would be as legit as www.guildwars2.com, for example.

It might be that the email came out from an ncsoft.com mail server - if that's the case, having links as *.ncsoft.com reduces the chance of the mail being marked as spam.

I too received that message. I'm wondering if an email list got out. I know of a few people now that have gotten that password reset today and none of them have compromised PCs.

For the record I have a unique password for every place that wants one. I try to use 24 characters if possible. Someone could steal my password on Slashdot and it would be useless to them as it is the only site that it works on.

This happened to me too. But they failed too. My friend wasn't so lucky though. What worries me is going back to the gw2 site there are no extra preventative steps to secure an account. You know, stuff like security questions or things that can be validated.

I deleted the mail and checked my gmail access logs, no unusual access. Changed my GW2 password to be sure.

I use lastpass to generate different passwords for different sites so one being compromised doesn't affect the others.

Was trying to think what could have associated my email address with such an attempt besides a vulnerability in their database, besides various gw2-related sites I did purchase a cd-key for nightfall+eye of the north from an online store. Fairly sure most of those sites also sell gold and other shady stuff so that's a possibility.

If you send support a ticket about a possible vulnerability through which people could be hacked, it will probably get marked as a top priority issue whenever it gets read, whether or not it's actually a real vulnerability.

No sane company would ignore an email detailing a possible exploit through which people could be hacked.

I have sent in a support ticket with this info, read from bottom up since edits go like that:

Customer [Ehaw] via CSS Web 08/28/2012 05:54 AM
I've been looking around at multiple sources, Facebook and Reddit since you at the moment don't have official forums up, and I'm seeing a couple of people are having the same issue as me. One person on reddit said he received several emails about password resetting. I know this might be a long shot but could it possibly be on your end? If this might be an issue ArenaNet should look into this as soon as possible. There might be a flaw in the system. I don't think my email was hacked or anything of the sort because A. It usually tells me IF someone has logged on to my email account outside of my IP and B. I didn't find any suspicious malware on my computer. This could go either way and it would most likely be on my end, but since the communication with other players is very small I can't possibly know if anyone else has had this problem and only you guys would know.

Customer [Ehaw] via CSS Web 08/28/2012 05:39 AM
My password and email just got reset and I'm now without a GW2 account. I sent in a support ticket (2 since I got double charged for the purchase). I scanned my computer and I didn't see anything important or malicious, scanned it with 3 different programs being Malwarebytes and ComboFix which does a deep check. Thing is nothing else has been "hacked" and I've never had this problem with any other game or program or anything of the sort from my many years of online gaming. Also, I haven't used my password to log into GW2 since I bought it on Friday. After that I clicked Remember Account Name and Remember Password and went on my way.

Customer [Ehaw] via CSS Web 08/28/2012 04:17 AM
I have proof of purchase (Credit Card) if you need it. Just tell me what I need to provide and I'll give you it.

Customer [Ehaw] via CSS Web 08/28/2012 03:44 AM
Hi, my account recently got its e-mail and password changed but I did not reset either of them. What info do I need to supply to you in order to fix this?

It took around 15-16 hours to get an automated response, and now I'm waiting for support (An actual person) to email me back. Automated responses don't help my situation but it could possibly help others because I could imagine people don't read the FAQ before submitting (Which is pretty much the automated email).

That's fine, you may be completely on the up and up here and just be going about this in a terrible way because you really believe that upvoting this to the front page will solve the hacking issue.

That said, any one that went through the fiasco that was the D3 hacking witch hunt is going to take these kind of claims with a grain of salt. There were dozens of posts like this a day claiming some crazy hack and every single one turned out to be completely bogus.

I would also point out that just a few days ago a reddit post was put up to raise money to give ArenaNet a big thank you gift. That was an altruistic gesture in just the same way that this is AND it got the attention of Mike O'Brian and the default ArenaNetTeam account. Reddit has power, I'm telling you.

For what it's worth, I personally do not see any problem with what you've done here. It's a self-post, not some image whoring for karma, so people can't be upset about that. It's worded very well without spelling or grammatical errors, so people can't be upset about that. I guess the only thing people would chastise you for is not just doing all the things you listed in your post. There is no harm that can come from opening a support ticket, and messaging all of the ArenaNet redditors here as well.

Get to it. If you sincerely believe that you have legitimate information on something as crucial as this, why not just do everything you can to nip it in the bud?

What happened was a bunch of people posted threads exactly like this swearing they had figured out some vulnerability that no one else had that was causing the issues.

It ended up that they were all wrong and it was just the normal low hanging fruit situation with people having crappy security procedures with their accounts. So you can understand people being skeptical.

I don't think this will miraculously cure the vulnerability, I simply want to bring it to ArenaNet's attention in a quick and expedient way. If you hadn't noticed, there is no email for them, there are no forums, twitter is deluged, facebook is a shitstorm of likes and the support route is probably as underwater as twitter is.

That's exactly what he did. This post is essentially saying "hey, PM me if you work for ANet!" which is as expedient as you can get without publishing the exploit in public and causing hundreds more accounts to get hacked.

I also got a rogue password change email a while back and now I cannot log into the gw2 game client or the gw2 website. Been trying to change my password to try to log in with no success. However, I do know that the passwords are being changed, I can log into my Guild Wars 1 game client.

Been trying to get help from the support page for a few days now, but no response outside of their automated ones.

If you see the password reset email, it's only step one. Go and make sure you can access your account right away, and go to the "security" tab, and kick out all but your current session (record IPs tho). Speed is of the essence, because then you have to hurry and change your GW2 pass, and then any other service that uses that pass. Do not follow the link in the email (I suspect that is part of the attack for them to exploit), and hope you beat them to changing your passwords.

I have 3 different e-mail accounts, which I split by how they're used. I have a WoW account attached to one e-mail, but WoW phishing attacks frequently end up on another. They don't know, they're just guessing.

People are reporting that their accounts are getting hacked with no access to their email address. And what I have seen plays right into that. I am concerned that it's more than just the usual keyloggers, lazy passwords et al.

If there was an actual problem, he'd be posting "I have a POC that you can dump arenanet's account DB. Please contact me if you are arenanet staff." Not "I sort of think there could be a vulnerability here!"

If he did that, it would not increase the odds ANet would see it, but it would increase the odds to near-certainty that crackers would take note (and have a focus for their research). Keeping it as general as possible with as few details as possible while in public is the correct approach.

No, it would make the odds absolute that ANet would see it (and their time-to-fix far quicker). "Crackers" wouldn't have any kind of focus from this, because that is already their focus. If you know what you're talking about or actually have a vulnerability, you can be pretty specific without having to give anything you could use to find the vulnerability away.

Any hint to the company is also a hint to black hats. Even the seemingly very innocent phrase "there exists a vulnerability" is actually not 100% harmless, as it confirms that their efforts are not futile.

This exact thing has happened during the Diablo 3 launch and this is most likely the same case seeing as people are reporting that their systems have not been compromised by malware.

From what we found out, the Chinese hackers data mined the game's fansites (who all have low/non-existent security) for people's login and password details for months to years. Then they use this information combination to hack your game account with a bot.

In short, I am sorry if anyone has been hacked and I urge everyone to change their passwords to something completely unique immediately.

The best way to report these things is a private support ticket or email to ANet. Any public method (Twitter, forum posts if the forum was up, getting a Reddit post upvoted to the frontpage) just alerts the unscrupulous among us that there's an exploit to find. Waiting 24 hours to delete it to give the hackers even more time to find this now that you have a private channel is just making it even worse. YOU FOUND YOUR CONTACT METHOD. DELETE THIS SUBMISSION PLEASE.

You guys should be aware that the "password reset" request email is real, but this exploit is a two step process. They are doing that to verify that your email address is being used in the game, and from there, they perform whatever it is that is getting them the passwords. I would suggest you all go and create a new email somewhere, at least for a short time, and change it yourself, so that they are not guessing based off of account names (accountname@4majoremailproviders.com). The current system happily tells them if it's a real email address in use or not, and then they go from there. Also, the password reset requests have no IP that they were requested from. Let's hope that these gigantic gaping holes get fixed soon. I suspect that they are using email addresses from the recently exploited WoW sites, or using some in game account, and checking emails based on account names (hey, I have a chubbysumo email address at 4 different providers, and I know it's common to use it). I was getting those about every hour, and then I logged in and changed my email address to something that was never used with a game account before, and then they stopped. I also changed my password to something much longer, and much more complex. I suspect there is a server side exploit they are running that is getting them in.

Well i mean you already made a post about it. Chances are anyone who knows how to steal/take/change/exploit/hack accounts is going to find what you found. So why you are asking what you should do instead of reporting it everywhere possible sort of makes me question your motives past wanting glory for finding an issue. Sorry if this isn't true at all but it sure looks like it the way you made this post and asked for the votes when the community would do that regardless. [also downvotes should be expected as those who do abuse something probably don't want this front page or just don't like your post don't take it personally.]

I'm asking what I should do because ALL of the options I have listed are lackluster or flawed in some way. If only ArenaNet had the bloody forums up I'd post it on there and forget about it.

What exactly do I gain from this? After I raise the attention of an ArenaNet person, no one on this subreddit is going to hear anymore about it. I'll just report what I know and go about my merry way. I don't want glory or attention.

This isn't a school production and you are at no personal risk for doing this so the comparison is flawed.

All the options are flawed on your say so. Everything i have reported in the past has been dealt with one way or another. Have you done any of them as of yet or are you still ignoring them over the hope of a better chance instead of increasing your chances by doing them all?

Please, do this (all of the above). These channels are in place for a reason, and even if it takes a while to get noticed it's better than not submitting anything. Think about it, best case scenario in your eyes is that you get in personal contact with some ANet devs through this post. If you'd already submitted to the established channels beforehand, your worst case scenario would be that they still see the information, just not as quickly. Currently, your worst case scenario is that nothing is done at all because you've made no effort to contact the devs directly on their terms.

White hats report privately. Public reporting is just shooting up a signal flare that says, "HEY HACKERS, THERE'S SOMETHING TO FIND BECAUSE I FOUND IT!" Tweets were wrong. A forum post if the forums were up would be wrong. Getting a reddit post upvoted to the frontpage is wrong. A private message to support was the way to go here and waiting 24 hours to delete this post now that he has a private channel is just making it worse.

I'm going to copy and paste what I posted in another thread, I hope this can get some attention. It's really frustrating not knowing if this issue is affecting others because they have no official forum:

My password and email just got reset and I'm now without a GW2 account. I sent in a support ticket (2 since I got double charged for the purchase). I scanned my computer and I didn't see anything important, scanned it with 3 different programs being Malwarebytes and ComboFix which does a deep check. Thing is nothing else has been "hacked" and I've never had this problem with any other game or program or anything of the sort from my many years of online gaming. After I scanned and I didn't see anything I started to think if it was even on my side at that point. Seeing your post gives me more reason to believe it might be on ArenaNet's side (Almost said battlenet!). Also, I haven't used my password to log into GW2 since I bought it on Friday. After that I clicked Remember Account Name and Remember Password and went on my way.

It might be my side, it might be theirs. At this point there's no sure fire way of knowing until I can talk to someone about it.

One more thing. If ANYONE accesses my gmail it tells me. I've had instances before where it said I had logged on with an IP out in China. This was many years ago and I'm pretty sure that's still in place. I don't believe they ever had access to my gmail, also the emails (Password reset AND email change) were both unread.

When this type of hack comes in this manner it is usually the result of a centralized vulnerability. First thing that comes to mind is Rift. If there was a more centralized hub that everyone belonged to then maybe we could blame KLs and malware. Phishing would also need a more centralized hub to pinpoint gamers that would also possibly buy GW2. Poor pw is always thrown around, but again that takes more time. Also why all the effort to hack here? You don't need to buy gold from the gold scammers when you can buy it right inside the game.

Same thing happened to me, but my password didn't reset. I can't fix your situation, but I can tell others how to prevent it. You did the right thing submitting the ticket. This is the hardest part, but just try to be patient as much as possible and someone will help you as soon as they can. They're so swamped right now and looking to hire more support staff it seems to accommodate the people.

I'm pretty patient when it comes to something like this. I know they'll be busy so I'm not bothering to submit multiple tickets, get upset or anything of the sort. If the wait time ends up being a week it will possibly be a problem for me. They don't have a phone number so I can't contact them outside of a ticket. I'm just worried that if there is a flaw in their system that they won't realize it for a while.

I forgot my email/password also from my original Guild Wars account and used the reset option. Got an email the first time yesterday, then today I received the same email again. I did not click on the second email link. I went in and made my password stronger.

For other games you usually send exploit and vulnerability issues by email. I'm not sure since there has been no official address for this (to my knowledge)... but from previous experience usually the emails look like security@arena.net or exploit@arena.net
Try sending your report to these addresses as well as to support@arena.net while you look at other means to reach them.

I strongly believe that Blizzard got hacked and that they used all the same username/passwords from WoW to hack GW2. I believe that's how they compromised my account. I used the same combo. I knew Blizz got hacked but I haven't played WoW in a year so I paid no mind to it. But they probably used that data to get into my GW2.

Come on people, stop the downvotes. I'm trying to be a good community player here. It's a self post, I'm not karma whoring. I am, shock horror, doing this for totally altruistic reasons. I can just as easily bugger off into the game and say screw you to all the people who have been hacked or are being hacked.

The problem is that if he were to tell us how we're vulnerable, anyone with malicious intent would know how we're vulnerable, too. That's why he wanted to tell someone from ArenaNet directly (besides the fact that most of us would be unlikely to be able to do anything with the information to protect ourselves).

Yeah, I am aware of the problem you outline but security through secrecy doesn't protect anyone just the people pulling the scam at the moment, get it out in the open if you want people to be able to protect themselves.

If he's talking about the issue I think he is, it's technical in nature and there is nothing you can do. It's a vulnerability with the login system and only the devs can fix it. Revealing that info on Reddit would allow more people to utilize the hack and help nobody.

Yeah I know that, this is an old argument and the idea that hiding the exploit isn't the answer, I'm a little surprised reddit feels this way considering how insane it is. There are literally industries that exist because companies hide their software exploits instead of fix them. You want it fixed, publish the problem. Or you know downvote people because you disagree with them, that always works. But hell what do I know, maybe I know how your windows box can be instantly hacked but hell, I'll just tell MS, maybe that will make you safe, you don't need to know anyway.

Ok, you clearly don't have any knowledge of the security industry, which isn't a bad thing, just don't act like you do. I do have a lot of knowledge about the computer security industry however, so I'll share some of it.

There exists a concept called responsible disclosure. You make a reasonable attempt to inform the affected party (ArenaNet) about the issue. You then wait a reasonable amount of time for them to fix it (in this case, I'd say 3-5 weeks, based on the problem). If they don't fix it after you've informed them of the issue, you could disclose the vulnerability to a responsible third party, such as a tech news site, and announce that you'll release the vulnerability to the public in x number of weeks, say 2-3 weeks. This puts additional pressure on the third party to fix the problem before the public is made aware of it. If the third party still doesn't fix the problem, you disclose the vulnerability to the public, putting the maximum amount of pressure on the third party. They'll really have no choice but to fix it.

The majority of responsibly disclosed vulnerabilities are fixed in stage 1, after you inform the third party of the issue.

If you reveal the vulnerability before taking the steps I've laid out, it can and will be seen as malicious, can cost the third party millions of dollars in damages, and can seriously impact their customers. Nobody wins, except for script kiddies who use the exploit to fuck over innocent people.

I do understand this concept actually but I disagree with it, I like many others prefer zero security through obfuscation especially when determined by fiscal policy. I mean this shit stopped making sense a hundred years ago. I understand that companies prefer a warning but that's an argument against my right to know the dangers of the product I am using, this isn't an ethical stance regardless of how common place it becomes.

Your approach is the selfish one, he can post the issue here and most of the players on Reddit can protect themselves (if it is even possible). At the same time he puts all the players who do not use Reddit at greater risk.

I got one 2 days ago saying my password has been reset. Overnight I got an email saying there was a request for my account email address to be changed, and now I can't login because my email address isn't linked to my GW account anymore. I really don't see what I might have done wrong here to open myself to this exploit.

I got 2 password reset emails overnight that I didn't ask for which made me a bit worried. I also changed my password to something longer and more secure, I hope that's enough since I don't see what else I can do.

The only time GW1 ever had any security issues is when an exploit was discovered with NCSoft master accounts (which give access to change Guild Wars passwords). ANet ended up adding an extra login prompt where you had to provide the name of one of your characters.

There's probably some people being hacked through the malicious links people keep sending through tweets to the Guild Wars 2 twitter account, probably some on Facebook too. I know when scrolling through replies or convos of either page, I've run across a couple links which looked like images of a bug that when clicked triggered my virus shield and were subsequently blocked, thankfully. I'm pretty sure not everyone was so lucky who may have been curious like me.

Here's a protip: If something doesn't have an avenue for you to report a vulnerability, you report it the best way you can. If nothing happens after a reasonable amount of time, you post the POC (Proof of Concept) for all to see.

This is why people sell vulnerabilities or publish them, because companies simply cannot be bothered to have an avenue for rapidly reporting them.

It has come to my attention from another thread that when someone (hopefully you!) changes the email on your account, it sends the confirmation link to the NEW email instead of the old one.

If you get an email that says someone requested a password change, get on the site and change it immediately. If you don't, chances are you'll get another email not much later saying that your email has been changed. Now these seem like phishing emails but THEY ARE NOT.
The ArenaNet email system is not so great if you think I'm lying. When you go to your email and change it to a new email, they email your NEW email as a confirmation of the change instead of your old one.
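The weakness the two comments above describe (the confirmation for an email change going to the new address, which the person making the change already controls) is easier to see side by side with the flow that confirms with the address already on file. The following is an added example written for this thread, not ArenaNet's code and not taken from any commenter; the `Account` class, the in-memory `OUTBOX` stand-in for a mail relay, and the addresses `owner@example.com` / `evil@example.com` are all constructed for the demo.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed stand-in for an outbound mail relay: address -> messages delivered to it.
OUTBOX: Dict[str, List[str]] = {}


def send_mail(to: str, body: str) -> None:
    OUTBOX.setdefault(to, []).append(body)


@dataclass
class Account:
    email: str
    # token -> proposed new address; a token is single-use and only ever mailed out once
    pending: Dict[str, str] = field(default_factory=dict)


def request_change(acct: Account, new_email: str, confirm_with_old: bool) -> None:
    """Start an email change. `confirm_with_old` selects which address gets the token.

    confirm_with_old=False is the weak flow from the comments: the token goes to the
    NEW address, so whoever typed that address in (an attacker riding a stolen session)
    can read it and finish the change without the real owner ever seeing anything.
    confirm_with_old=True mails the token to the address already on file, so only the
    legitimate owner can approve the change, and an unexpected mail doubles as an alarm.
    """
    token = secrets.token_urlsafe(16)
    acct.pending[token] = new_email
    target = acct.email if confirm_with_old else new_email
    send_mail(target, f"confirm-email-change:{token}")


def confirm_change(acct: Account, token: str) -> bool:
    """Apply a pending change if the token is valid; tokens are consumed on use."""
    new_email = acct.pending.pop(token, None)
    if new_email is None:
        return False
    acct.email = new_email
    return True


def attacker_can_take_over(confirm_with_old: bool) -> bool:
    """Simulate an attacker who holds a logged-in session but can only read the
    evil@example.com mailbox. Returns True if the account's email ends up changed."""
    OUTBOX.clear()
    acct = Account(email="owner@example.com")
    request_change(acct, "evil@example.com", confirm_with_old)
    # The attacker can only read the mailbox they control.
    for msg in OUTBOX.get("evil@example.com", []):
        token = msg.split(":", 1)[1]
        confirm_change(acct, token)
    return acct.email == "evil@example.com"


if __name__ == "__main__":
    print("weak flow, attacker wins:", attacker_can_take_over(confirm_with_old=False))
    print("confirm-with-old flow, attacker wins:", attacker_can_take_over(confirm_with_old=True))
```

A real implementation would also expire tokens, notify both addresses once the change is applied, and offer the old address a revocation link; the point the simulation isolates is simply who receives the confirmation.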

I have been trying to get my account fixed since release, had no help from any support, and have posted multiple threads only to be told the obvious (I was hacked). I recovered my account and played on it for a day, then they decided to block my account...

So, someone is trying to activate a ton of GW2 accounts on my email address. I just got 4 today, and I suspect it's the phish of the year. They are not sending out emails to "activate" your account, it's a phish. People mistakenly click it, and then give someone access to their account by default. fuck, could be the phish of the year here. It's preying on newbs.

I'm putting this out for all that are truly curious, but pull some of the email header info from some of the emails you are receiving, and you will have a clue as to how this is working for an exploit. In studying the 4 "thanks for registering your GW2 account" emails I have gotten, it's painfully obvious what is occurring.
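For anyone who wants to follow the advice above and actually look at the headers, here is an added example of the checks a defender runs on a suspicious "thanks for registering" mail: envelope sender versus From domain, the SPF/DKIM/DMARC verdicts the receiving server recorded, and whether the links in the body point at the claimed domain. This is not the commenter's code and not anything from ArenaNet; the two raw messages are constructed samples using documentation placeholder domains (`example.com`, `example.net`, `evil.example`) and the reserved address `203.0.113.5`, so none of the senders are real.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List

# Constructed sample of a lure: envelope sender on a bulk relay, failed SPF, no DKIM,
# and a link whose host only *starts* with the legitimate-looking domain.
PHISH = """Return-Path: <bounce-1234@bulk-relay.example.net>
Received: from bulk-relay.example.net (bulk-relay.example.net [203.0.113.5])
 by mx.example.com with ESMTP id abc123; Fri, 31 Aug 2012 03:14:07 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk-relay.example.net; dkim=none
From: "Guild Wars 2 Account" <noreply@account.example.com>
To: victim@example.com
Subject: Thanks for registering your GW2 account
Content-Type: text/plain

Click here to activate: http://account.example.com.evil.example/activate?u=victim
"""

# Constructed sample of what a clean notification from the same domain would look like.
CLEAN = """Return-Path: <bounce@account.example.com>
Received: from mail.account.example.com (mail.account.example.com [203.0.113.9])
 by mx.example.com with ESMTP id def456; Fri, 31 Aug 2012 03:20:00 +0000
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=account.example.com; dkim=pass; dmarc=pass
From: "Guild Wars 2 Account" <noreply@account.example.com>
To: victim@example.com
Subject: Thanks for registering your GW2 account
Content-Type: text/plain

Click here to activate: https://account.example.com/activate?u=victim
"""


def domain_of(header_value: str) -> str:
    """Extract the bare domain from an address header such as From or Return-Path."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def auth_results(msg: Message) -> Dict[str, str]:
    """Pull the spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    hdr = msg.get("Authentication-Results", "")
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}


def in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it (suffix match on a label boundary)."""
    return host == domain or host.endswith("." + domain)


def triage(raw: str) -> List[str]:
    """Return a list of reasons the message looks suspicious; empty means nothing flagged."""
    msg = message_from_string(raw)
    reasons: List[str] = []
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    # The envelope sender (where bounces go) should belong to the claimed From domain.
    if rp_dom and not in_domain(rp_dom, from_dom):
        reasons.append(f"envelope sender {rp_dom} does not match From domain {from_dom}")
    # Anything short of a recorded pass for each mechanism is worth a second look.
    auth = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            reasons.append(f"{mech}={auth.get(mech, 'missing')}")
    # Links must resolve inside the claimed domain; prefix look-alikes are flagged.
    body = msg.get_payload()
    for host in re.findall(r"https?://([^\s/]+)", body):
        if not in_domain(host.lower(), from_dom):
            reasons.append(f"link host {host.lower()} is outside {from_dom}")
    return reasons


if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        print(label, triage(raw) or ["no findings"])
```

The Authentication-Results header is only trustworthy when it was written by your own receiving server (the hostname after the colon should be yours), since a sender can forge one of its own; mail clients that show "original message" or "view source" expose these headers for copy-paste into `triage`.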

The reason why people get hacked in GW2 is because they registered with the same contact information on a fansite, which got hacked. It's the number 1 tool for goldsellers to get the info. Simple as that.

Using the same login info for Guild Wars 2 as a previously hacked service. Even if there is no way to know a player's email address, most are going to use the same account name as other services. So maybe somebody has MrKitty.4567 and they also have an email address of MrKitty@gmail.com

Harvesting email addresses from GW2 fan sites (or hacking them and taking login information) and then sending a password reset and then using number 1 to access the email account. Since many users are incapable of fitting a square inch square block through a square mile hole they will be under the impression that since nobody can see their email address at the game's website this will somehow make their email secure.

Being phished or being an idiot and giving their login info to a "friend" (also known as being phished and not wanting to admit it).

A virus that logs what you are typing.

A vulnerability that allows somebody to login without knowing the correct password.

The most likely way is number 1. Most people won't change their password between sites.

To be completely frank, the most effective way of ArenaNet taking a potential exploit seriously is to post THE ACTUAL EXPLOIT here on reddit. We all understand the risks involved with that, but it would absolutely lead to the fastest response against such an exploit.

That approach may be effective, but I doubt it's the best way to do it. Responsible disclosure of a security gap involves privately contacting the vendor and giving them a reasonable amount of time.

Source: My background in information security

Rationale: The vendor has many things to work on at once and they will still make money anyway. The competing hackers and wannabe-skiddies have nothing better to do, and a lot of monetary gain at stake. So if you post it where everyone can see it, who do you think gains an advantage?

We all understand the risks involved with that, but it would absolutely lead to the fastest response against such an exploit.

You are aware that ArenaNet devs are currently tired from having worked for several days, and outnumbered several thousand to one by people with an interest in exploiting any security hole? Also, any solution they provide has to be universally suitable, while crackers just have to get 1% of users for it to be extremely profitable.

So actually I don't think you understand the risks, or the consequences of what you're suggesting.

Just gonna throw this out there, but I'm guessing the people at Anet know more about how this game works, its vulnerabilities, etc.

Most cases of getting hacked just come down to keyloggers, malware, getting your email hacked, etc. Just use strong passwords (especially for your email), don't download random shit, etc. It's the same common sense stuff that people have been failing at since the internet was born.